{"id":88600,"date":"2023-03-29T06:52:00","date_gmt":"2023-03-29T06:52:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/?p=88600"},"modified":"2023-03-29T06:52:00","modified_gmt":"2023-03-29T06:52:00","slug":"new-north-korean-apt-launders-crypto-to-fund-spying-programmes","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=88600","title":{"rendered":"New North Korean APT launders crypto to fund spying programmes"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/03\/new-north-korean-apt-launders-crypto-to-fund-spying-programmes.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Threat researchers at Google Cloud\u2019s Mandiant have attributed a campaign of cyber criminal activity out of North Korea to a newly designated <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/advanced-persistent-threat-APT\">advanced persistent threat actor<\/a>, APT43, in its first official \u201cupgrade\u201d in six months.<\/p>\n<p>Mandiant said APT43 was a prolific threat actor operating on behalf of North Korea\u2019s regime, and like many other groups operating from the impoverished and isolated state, its stock-in-trade is financially motivated cyber crime.<\/p>\n<p>Its researchers have been tracking the group\u2019s activity since 2018, poring over reams of research data and connecting the dots between various incidents, but only now has it gathered enough evidence to be able to make a formal attribution.<\/p>\n<p>APT43\u2019s priorities align with the mission of North Korea\u2019s foreign intelligence unit, the Reconnaissance General Bureau (RGB), and its primary focus is the laundering of cryptocurrency to buy operational infrastructure in such a way that it reduces the need for central government to spend much-needed funds. 
This aligns with the state\u2019s Juche ideology of self-reliance.<\/p>\n<p>Its targeting has heretofore been mainly against targets in South Korea, Japan, Europe and the US in a wide range of sectors, including government, business and manufacturing. Like many other North Korean advanced persistent threats (APTs), it also targets educational and research institutions, and organisations such as political thinktanks that deal in <a href=\"https:\/\/www.computerweekly.com\/news\/252522742\/How-hostile-government-APTs-target-journalists-for-cyber-intrusions\">regional geopolitics and especially nuclear policy<\/a>.<\/p>\n<p>\u201cIn Europe, concerns for this group should be focused more on the espionage side than on revenue-generation activities, which have been more common in the US,\u201d said Mandiant principal analyst Michael Barnhart.<\/p>\n<p>\u201cDuring the pandemic, parts of APT43 had secondary objectives to acquire Covid-19 vaccine-related information in addition to their mandate surrounding strategic nuclear and foreign relations efforts, so we saw them target thinktanks and policy-making organisations, foreign relations entities, and governing bodies in Europe to try to achieve this goal.<\/p>\n<p>\u201cWe\u2019ve also seen the group posing as journalists to inquire into matters of intelligence interest to the DPRK regime, targeting European organisations. Some of these information-seeking messages contain no payloads and are simply meant to establish a rapport, but others have malware-laden documents or links in the form of a news questionnaire to send back to the attackers,\u201d said Barnhart.<\/p>\n<p>&#8220;We\u2019ve seen APT43 be extremely successful with these fake reporter emails, generating high success rates in eliciting a response from targets. 
This serves as a reminder to verify the addresses and identities of the people you\u2019re speaking to.\u201d<\/p>\n<p>APT43 deploys <a href=\"https:\/\/www.computerweekly.com\/news\/365532100\/Nine-in-10-enterprises-fell-victim-to-successful-phishing-in-2022\">phishing emails and social engineering tactics<\/a> to compromise its victims, and does not seem to be actively interested in zero-day exploits, said Mandiant.<\/p>\n<p>The group has been observed creating numerous spoofed or outright fraudulent personas that it uses in social engineering, and its operatives often present themselves as key individuals in their target area, such as high-profile diplomats or geopolitical analysts.<\/p>\n<p>It uses stolen personally identifiable information (PII) on such individuals to create convincing accounts and domains to fool their targets.<\/p>\n<p>It also creates cover identities for purchasing operational tooling and IT infrastructure for its paymasters.<\/p>\n<p>Where it does use malware, APT43 has been observed using a relatively large toolkit of publicly available tools, including gh0st RAT, QUASARRAT, AMADEY and the LATEOP VisualBasic backdoor, but has also been seen developing its own variants in-house, notably an Android variant of the PENCILDOWN Windows-based downloader.<\/p>\n<p>Ultimately, APT43\u2019s goal seems to be to use the cryptocurrency it steals to buy hash rental and cloud mining services to provide hash power, which it then uses to mine cryptocurrency to a wallet selected by itself without any blockchain-based 
association to its original payments. Effectively, it launders cryptocurrency by using stolen funds to create clean funds.<\/p>\n<p>Mandiant said the group was clearly self-supporting and able to fund its own operations, and that barring a drastic change in North Korea\u2019s priorities, or the downfall of its regime, would remain prolific in carrying out espionage campaigns and financially motivated activities in support of its goals.<\/p>\n<p>\u201cWe believe North Korea has become increasingly dependent on its cyber capabilities, and APT43\u2019s persistent and continuously developing operations reflect the country\u2019s sustained investment and <span role=\"presentation\">reliance on groups like APT43,\u201d the research team concluded.<\/span><\/p>\n<p>\u201cAs demonstrated by the group\u2019s sudden but temporary shift towards healthcare and pharmaceutical-related targeting, APT43 is highly responsive to the demands of Pyongyang\u2019s leadership.<\/p>\n<p>\u201cAlthough spear-phishing and credential collection against government, military <span role=\"presentation\">and diplomatic organisations have been core taskings for the group, APT43 ultimately modifies its targeting and tactics, techniques and<\/span> procedures to suit its sponsors, including carrying out financially motivated cyber crime as needed to support the regime,\u201d they added.<\/p>\n<p>More information on APT43, including indicators of compromise (IoCs), <a href=\"https:\/\/mandiant.widen.net\/s\/zvmfw5fnjs\/apt43-report\">can be downloaded here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Threat researchers at Google Cloud\u2019s Mandiant have attributed a campaign of cyber criminal activity out of North Korea to a newly designated advanced persistent threat actor, APT43, in its first official \u201cupgrade\u201d in six months. 
Mandiant said APT43 was a prolific threat actor operating on behalf of North Korea\u2019s regime, and like many other groups [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":88601,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-88600","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=88600"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88600\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/88601"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=88600"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=88600"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=88600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}